Rob Crittenden wrote:
Eddy Nigg (StartCom Ltd.) wrote:
Nelson Bolyard wrote:
Does serf use "modSSL"?  If so, there is a "modNSS" that causes Apache to
use NSS instead of OpenSSL.  That might be an easy change for you.

Nelson, what about the env variables as in http://httpd.apache.org/docs/2.0/mod/mod_ssl.html? Does mod_nss support the same naming convention? And is NSSEnforceValidCerts equal to SSLVerifyDepth (with correct depth)?


There is no equivalent for SSLVerifyDepth. My understanding of how intermediate CAs are evaluated in NSS is admittedly sketchy but I believe it requires all of them to be installed and trusted.
NSS collects all certificates in the SSL message, and then tries to build a valid chain. To successfully validate, NSS must have at least one cert in the chain which it trusts (typically the root cert).

NSS follows the normal PKI rules about VerifyDepth (based on basic constraints of the cert) except one: NSS does have a hard limit on the size of the chain of 20. I know of no case where anyone has actually hit the NSS hard limit, which is there to deal with pathological cases like loops.

Of course some of what I just said is likely to change with the new PKIX code going in.

bob
rob
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
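The chain-building behaviour described in the thread (an unordered bag of certificates from the handshake, at least one trusted certificate needed somewhere in the chain, basic-constraints path length enforced, and a hard depth limit of 20 to stop loops) can be modelled in a few dozen lines. The following is an added illustration written for this page, not NSS, mod_nss or mod_ssl code; it reduces a certificate to subject, issuer, CA flag and pathLenConstraint and ignores signatures, validity dates and name constraints. All certificate names and the `Cert`, `build_chain` and `validate` helpers are constructed for the example.

```python
"""Simplified model of how a PKIX-style validator such as NSS assembles a chain
from the certificates sent in the handshake plus a local trust store.  Added
illustration, not NSS or mod_nss code: certificates are reduced to subject,
issuer, the basicConstraints CA flag and pathLenConstraint; signatures,
validity dates and name constraints are out of scope."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_CHAIN_LEN = 20  # hard limit mentioned in the thread; catches loops and runaway chains


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False
    path_len: Optional[int] = None  # pathLenConstraint; None means unconstrained


class ChainError(Exception):
    pass


def build_chain(leaf: Cert, presented: List[Cert], trusted: List[Cert]) -> List[Cert]:
    """Follow issuer links from the leaf until a trusted certificate is reached.

    `presented` is the unordered bag of certificates from the SSL message and
    `trusted` the local store.  Returns the chain leaf-first, ending at the
    trust anchor; raises ChainError on a missing issuer, a loop, a chain longer
    than MAX_CHAIN_LEN, or a basicConstraints violation.
    """
    by_subject: Dict[str, Cert] = {}
    for c in presented + trusted:
        by_subject.setdefault(c.subject, c)
    anchors = {c.subject for c in trusted}

    chain = [leaf]
    seen = {leaf.subject}
    current = leaf
    while current.subject not in anchors:
        if len(chain) >= MAX_CHAIN_LEN:
            raise ChainError(f"chain exceeds hard limit of {MAX_CHAIN_LEN}")
        issuer = by_subject.get(current.issuer)
        if issuer is None:
            raise ChainError(f"no certificate for issuer {current.issuer!r}")
        if issuer.subject in seen:
            raise ChainError(f"loop detected at {issuer.subject!r}")
        if not issuer.is_ca:
            raise ChainError(f"{issuer.subject!r} is not a CA")
        seen.add(issuer.subject)
        chain.append(issuer)
        current = issuer

    # pathLenConstraint: the CA at position idx has idx-1 intermediate CAs below it.
    for idx, ca in enumerate(chain[1:], start=1):
        if ca.path_len is not None and idx - 1 > ca.path_len:
            raise ChainError(f"pathLenConstraint {ca.path_len} of {ca.subject!r} violated")
    return chain


def validate(leaf: Cert, presented: List[Cert], trusted: List[Cert]) -> Tuple[bool, str]:
    """(True, 'leaf -> ... -> anchor') on success, (False, reason) otherwise."""
    try:
        chain = build_chain(leaf, presented, trusted)
    except ChainError as e:
        return False, str(e)
    return True, " -> ".join(c.subject for c in chain)


# Constructed sample certificates (names are made up for this example).
ROOT = Cert("Example Root CA", "Example Root CA", is_ca=True)
INTER = Cert("Example Intermediate CA", "Example Root CA", is_ca=True, path_len=0)
SUB_INTER = Cert("Example Sub CA", "Example Intermediate CA", is_ca=True)
LEAF = Cert("www.example.test", "Example Intermediate CA")
DEEP_LEAF = Cert("deep.example.test", "Example Sub CA")

# A two-certificate issuer loop; neither CA is in the trust store.
LOOP_A = Cert("Loop A", "Loop B", is_ca=True)
LOOP_B = Cert("Loop B", "Loop A", is_ca=True)
LOOP_LEAF = Cert("loop.example.test", "Loop A")

# Thirty stacked CAs whose top issuer is never presented; the depth limit fires first.
LONG = [Cert(f"CA{i}", f"CA{i + 1}", is_ca=True) for i in range(30)]
LONG_LEAF = Cert("long.example.test", "CA0")


if __name__ == "__main__":
    cases = {
        "normal": (LEAF, [LEAF, INTER], [ROOT]),
        "intermediate in store": (LEAF, [LEAF], [ROOT, INTER]),
        "missing intermediate": (LEAF, [LEAF], [ROOT]),
        "pathLen violated": (DEEP_LEAF, [DEEP_LEAF, SUB_INTER, INTER], [ROOT]),
        "issuer loop": (LOOP_LEAF, [LOOP_LEAF, LOOP_A, LOOP_B], [ROOT]),
        "over depth limit": (LONG_LEAF, [LONG_LEAF] + LONG, [ROOT]),
    }
    for label, args in cases.items():
        print(f"{label:22s} {validate(*args)}")
```

The "intermediate in store" case is the point Rob raises: when the server does not send the intermediate, validation still succeeds if that intermediate is installed and trusted locally, because the walk stops at the first trusted certificate rather than insisting on the root. The loop and depth cases show why a hard limit exists independently of pathLenConstraint: a loop between two CAs never reaches an anchor, and the depth counter bounds the work even when no loop check is present.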


